diff options
Diffstat (limited to 'src/libstrongswan/utils')
22 files changed, 1996 insertions, 83 deletions
diff --git a/src/libstrongswan/utils/backtrace.c b/src/libstrongswan/utils/backtrace.c index cb83d9830..b6015fb35 100644 --- a/src/libstrongswan/utils/backtrace.c +++ b/src/libstrongswan/utils/backtrace.c @@ -50,6 +50,284 @@ struct private_backtrace_t { void *frames[]; }; +#ifdef HAVE_DLADDR +#ifdef HAVE_BFD_H + +#include <bfd.h> +#include <utils/hashtable.h> +#include <threading/mutex.h> + +/** + * Hashtable-cached bfd handle + */ +typedef struct { + /** binary file name on disk */ + char *filename; + /** bfd handle */ + bfd *abfd; + /** loaded symbols */ + asymbol **syms; +} bfd_entry_t; + +/** + * Destroy a bfd_entry + */ +static void bfd_entry_destroy(bfd_entry_t *this) +{ + free(this->filename); + free(this->syms); + bfd_close(this->abfd); + free(this); +} + +/** + * Data to pass to find_addr() + */ +typedef struct { + /** used bfd entry */ + bfd_entry_t *entry; + /** backtrace address */ + bfd_vma vma; + /** stream to log to */ + FILE *file; + /** TRUE if complete */ + bool found; +} bfd_find_data_t; + +/** + * bfd entry cache + */ +static hashtable_t *bfds; + +static mutex_t *bfd_mutex; + +/** + * Hashtable hash function + */ +static u_int bfd_hash(char *key) +{ + return chunk_hash(chunk_create(key, strlen(key))); +} + +/** + * Hashtable equals function + */ +static bool bfd_equals(char *a, char *b) +{ + return streq(a, b); +} + +/** + * See header. + */ +void backtrace_init() +{ + bfd_init(); + bfds = hashtable_create((hashtable_hash_t)bfd_hash, + (hashtable_equals_t)bfd_equals, 8); + bfd_mutex = mutex_create(MUTEX_TYPE_DEFAULT); +} + +/** + * See header. + */ +void backtrace_deinit() +{ + enumerator_t *enumerator; + bfd_entry_t *entry; + char *key; + + enumerator = bfds->create_enumerator(bfds); + while (enumerator->enumerate(enumerator, &key, &entry)) + { + bfds->remove_at(bfds, enumerator); + bfd_entry_destroy(entry); + } + enumerator->destroy(enumerator); + + bfds->destroy(bfds); + bfd_mutex->destroy(bfd_mutex); +} + +/** + * Find and print information to an address + */ +static void find_addr(bfd *abfd, asection *section, bfd_find_data_t *data) +{ + bfd_size_type size; + bfd_vma vma; + const char *source; + const char *function; + u_int line; + + if (!data->found || (bfd_get_section_flags(abfd, section) & SEC_ALLOC) != 0) + { + vma = bfd_get_section_vma(abfd, section); + if (data->vma >= vma) + { + size = bfd_get_section_size(section); + if (data->vma < vma + size) + { + data->found = bfd_find_nearest_line(abfd, section, + data->entry->syms, data->vma - vma, + &source, &function, &line); + if (data->found) + { + if (source || function) + { + fprintf(data->file, " -> "); + if (function) + { + fprintf(data->file, "\e[34m%s() ", function); + } + if (source) + { + fprintf(data->file, "\e[32m@ %s:%d", source, line); + } + fprintf(data->file, "\e[0m\n"); + } + } + } + } + } +} + +/** + * Find a cached bfd entry, create'n'cache if not found + */ +static bfd_entry_t *get_bfd_entry(char *filename) +{ + bool dynamic = FALSE, ok = FALSE; + bfd_entry_t *entry; + long size; + + /* check cache */ + entry = bfds->get(bfds, filename); + if (entry) + { + return entry; + } + + INIT(entry, + .abfd = bfd_openr(filename, NULL), + ); + + if (!entry->abfd) + { + free(entry); + return NULL; + } +#ifdef BFD_DECOMPRESS + entry->abfd->flags |= BFD_DECOMPRESS; +#endif + if (bfd_check_format(entry->abfd, bfd_archive) == 0 && + bfd_check_format_matches(entry->abfd, bfd_object, NULL)) + { + if (bfd_get_file_flags(entry->abfd) & HAS_SYMS) + { + size = bfd_get_symtab_upper_bound(entry->abfd); + if (size == 0) + { + size = bfd_get_dynamic_symtab_upper_bound(entry->abfd); + } + if (size >= 0) + { + entry->syms = malloc(size); + if (dynamic) + { + ok = bfd_canonicalize_dynamic_symtab(entry->abfd, + entry->syms) >= 0; + } + else + { + ok = bfd_canonicalize_symtab(entry->abfd, + entry->syms) >= 0; + } + } + } + } + if (ok) + { + entry->filename = strdup(filename); + bfds->put(bfds, entry->filename, entry); + return entry; + } + bfd_entry_destroy(entry); + return NULL; +} + +/** + * Print the source file with line number to file, libbfd variant + */ +static void print_sourceline(FILE *file, char *filename, void *ptr) +{ + bfd_entry_t *entry; + bfd_find_data_t data = { + .file = file, + .vma = (uintptr_t)ptr, + }; + bool old = FALSE; + + bfd_mutex->lock(bfd_mutex); + if (lib->leak_detective) + { + old = lib->leak_detective->set_state(lib->leak_detective, FALSE); + } + entry = get_bfd_entry(filename); + if (entry) + { + data.entry = entry; + bfd_map_over_sections(entry->abfd, (void*)find_addr, &data); + } + if (lib->leak_detective) + { + lib->leak_detective->set_state(lib->leak_detective, old); + } + bfd_mutex->unlock(bfd_mutex); +} + +#else /* !HAVE_BFD_H */ + +void backtrace_init() {} +void backtrace_deinit() {} + +/** + * Print the source file with line number to file, slow addr2line variant + */ +static void print_sourceline(FILE *file, char *filename, void *ptr) +{ + char cmd[1024]; + FILE *output; + int c; + + snprintf(cmd, sizeof(cmd), "addr2line -e %s %p", filename, ptr); + output = popen(cmd, "r"); + if (output) + { + fprintf(file, " -> \e[32m"); + while (TRUE) + { + c = getc(output); + if (c == '\n' || c == EOF) + { + break; + } + fputc(c, file); + } + pclose(output); + fprintf(file, "\e[0m\n"); + } +} + +#endif /* HAVE_BFD_H */ + +#else /* !HAVE_DLADDR */ + +void backtrace_init() {} +void backtrace_deinit() {} + +#endif /* HAVE_DLADDR */ + METHOD(backtrace_t, log_, void, private_backtrace_t *this, FILE *file, bool detailed) { @@ -67,9 +345,6 @@ METHOD(backtrace_t, log_, void, if (dladdr(this->frames[i], &info)) { - char cmd[1024]; - FILE *output; - int c; void *ptr = this->frames[i]; if (strstr(info.dli_fname, ".so")) @@ -89,37 +364,14 @@ METHOD(backtrace_t, log_, void, } if (detailed) { - fprintf(file, " -> \e[32m"); - snprintf(cmd, sizeof(cmd), "addr2line -e %s %p", - info.dli_fname, ptr); - output = popen(cmd, "r"); - if (output) - { - while (TRUE) - { - c = getc(output); - if (c == '\n' || c == EOF) - { - break; - } - fputc(c, file); - } - pclose(output); - } - else - { - #endif /* HAVE_DLADDR */ - fprintf(file, " %s\n", strings[i]); - #ifdef HAVE_DLADDR - } - fprintf(file, "\n\e[0m"); + print_sourceline(file, (char*)info.dli_fname, ptr); } } else +#endif /* HAVE_DLADDR */ { fprintf(file, " %s\n", strings[i]); } -#endif /* HAVE_DLADDR */ } free (strings); #else /* !HAVE_BACKTRACE */ @@ -248,3 +500,20 @@ backtrace_t *backtrace_create(int skip) return &this->public; } +/** + * See header + */ +void backtrace_dump(char *label, FILE *file, bool detailed) +{ + backtrace_t *backtrace; + + backtrace = backtrace_create(2); + + if (label) + { + fprintf(file, "Debug backtrace: %s\n", label); + } + backtrace->log(backtrace, file, detailed); + backtrace->destroy(backtrace); +} + diff --git a/src/libstrongswan/utils/backtrace.h b/src/libstrongswan/utils/backtrace.h index 9d59d2503..aeeba4dd6 100644 --- a/src/libstrongswan/utils/backtrace.h +++ b/src/libstrongswan/utils/backtrace.h @@ -77,4 +77,23 @@ struct backtrace_t { */ backtrace_t *backtrace_create(int skip); +/** + * Create a backtrace, dump it and clean it up. + * + * @param label description to print for this backtrace, or NULL + * @param file FILE to log backtrace to + * @param detailed TRUE to resolve line/file using addr2line (slow) + */ +void backtrace_dump(char *label, FILE *file, bool detailed); + +/** + * Initialize backtracing framework. + */ +void backtrace_init(); + +/** + * Deinitialize backtracing framework. + */ +void backtrace_deinit(); + #endif /** BACKTRACE_H_ @}*/ diff --git a/src/libstrongswan/utils/blocking_queue.c b/src/libstrongswan/utils/blocking_queue.c new file mode 100644 index 000000000..c70184198 --- /dev/null +++ b/src/libstrongswan/utils/blocking_queue.c @@ -0,0 +1,129 @@ +/* + * Copyright (C) 2012 Tobias Brunner + * Copyright (C) 2012 Giuliano Grassi + * Copyright (C) 2012 Ralf Sager + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "blocking_queue.h" + +#include <threading/mutex.h> +#include <threading/thread.h> +#include <threading/condvar.h> +#include <utils/linked_list.h> + +typedef struct private_blocking_queue_t private_blocking_queue_t; + +/** + * Private data of a blocking_queue_t object. + */ +struct private_blocking_queue_t { + + /** + * Public part + */ + blocking_queue_t public; + + /** + * Linked list containing all items in the queue + */ + linked_list_t *list; + + /** + * Mutex used to synchronize access to the queue + */ + mutex_t *mutex; + + /** + * Condvar used to wait for items + */ + condvar_t *condvar; + +}; + +METHOD(blocking_queue_t, enqueue, void, + private_blocking_queue_t *this, void *item) +{ + this->mutex->lock(this->mutex); + this->list->insert_first(this->list, item); + this->condvar->signal(this->condvar); + this->mutex->unlock(this->mutex); +} + +METHOD(blocking_queue_t, dequeue, void*, + private_blocking_queue_t *this) +{ + bool oldstate; + void *item; + + + this->mutex->lock(this->mutex); + thread_cleanup_push((thread_cleanup_t)this->mutex->unlock, this->mutex); + /* ensure that a canceled thread does not dequeue any items */ + thread_cancellation_point(); + while (this->list->remove_last(this->list, &item) != SUCCESS) + { + oldstate = thread_cancelability(TRUE); + this->condvar->wait(this->condvar, this->mutex); + thread_cancelability(oldstate); + } + thread_cleanup_pop(TRUE); + return item; +} + +METHOD(blocking_queue_t, destroy, void, + private_blocking_queue_t *this) +{ + this->list->destroy(this->list); + this->condvar->destroy(this->condvar); + this->mutex->destroy(this->mutex); + free(this); +} + +METHOD(blocking_queue_t, destroy_offset, void, + private_blocking_queue_t *this, size_t offset) +{ + this->list->invoke_offset(this->list, offset); + destroy(this); +} + +METHOD(blocking_queue_t, destroy_function, void, + private_blocking_queue_t *this, void (*fn)(void*)) +{ + this->list->invoke_function(this->list, (linked_list_invoke_t)fn); + destroy(this); +} + +/* + * Described in header. + */ +blocking_queue_t *blocking_queue_create() +{ + private_blocking_queue_t *this; + + INIT(this, + .public = { + .enqueue = _enqueue, + .dequeue = _dequeue, + .destroy = _destroy, + .destroy_offset = _destroy_offset, + .destroy_function = _destroy_function, + }, + .list = linked_list_create(), + .mutex = mutex_create(MUTEX_TYPE_DEFAULT), + .condvar = condvar_create(CONDVAR_TYPE_DEFAULT), + ); + + return &this->public; +} + diff --git a/src/libstrongswan/utils/blocking_queue.h b/src/libstrongswan/utils/blocking_queue.h new file mode 100644 index 000000000..cf2712cf4 --- /dev/null +++ b/src/libstrongswan/utils/blocking_queue.h @@ -0,0 +1,97 @@ +/* + * Copyright (C) 2012 Tobias Brunner + * Copyright (C) 2012 Giuliano Grassi + * Copyright (C) 2012 Ralf Sager + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup blocking_queue blocking_queue + * @{ @ingroup utils + */ + +#ifndef BLOCKING_QUEUE_H_ +#define BLOCKING_QUEUE_H_ + +typedef struct blocking_queue_t blocking_queue_t; + +#include <library.h> + +/** + * Class implementing a synchronized blocking queue based on linked_list_t + */ +struct blocking_queue_t { + + /** + * Inserts a new item at the tail of the queue + * + * @param item item to insert in queue + */ + void (*enqueue)(blocking_queue_t *this, void *item); + + /** + * Removes the first item in the queue and returns its value. + * If the queue is empty, this call blocks until a new item is inserted. + * + * @note This is a thread cancellation point + * + * @return removed item + */ + void *(*dequeue)(blocking_queue_t *this); + + /** + * Destroys a blocking_queue_t object. + * + * @note No thread must wait in dequeue() when this function is called + */ + void (*destroy)(blocking_queue_t *this); + + /** + * Destroys a queue and its objects using the given destructor. + * + * If a queue and the contained objects should be destroyed, use + * destroy_offset. The supplied offset specifies the destructor to + * call on each object. The offset may be calculated using the offsetof + * macro, e.g.: queue->destroy_offset(queue, offsetof(object_t, destroy)); + * + * @note No thread must wait in dequeue() when this function is called + * + * @param offset offset of the objects destructor + */ + void (*destroy_offset)(blocking_queue_t *this, size_t offset); + + /** + * Destroys a queue and its objects using a cleanup function. + * + * If a queue and its contents should get destroyed using a specific + * cleanup function, use destroy_function. This is useful when the + * list contains malloc()-ed blocks which should get freed, + * e.g.: queue->destroy_function(queue, free); + * + * @note No thread must wait in dequeue() when this function is called + * + * @param function function to call on each object + */ + void (*destroy_function)(blocking_queue_t *this, void (*)(void*)); + +}; + +/** + * Creates an empty queue object. + * + * @return blocking_queue_t object. + */ +blocking_queue_t *blocking_queue_create(); + +#endif /** BLOCKING_QUEUE_H_ @}*/ + diff --git a/src/libstrongswan/utils/capabilities.c b/src/libstrongswan/utils/capabilities.c new file mode 100644 index 000000000..34128d010 --- /dev/null +++ b/src/libstrongswan/utils/capabilities.c @@ -0,0 +1,291 @@ +/* + * Copyright (C) 2012 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * Copyright (C) 2012 Martin Willi + * Copyright (C) 2012 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "capabilities.h" + +#include <errno.h> +#include <string.h> +#include <sys/types.h> +#include <pwd.h> +#include <grp.h> +#include <unistd.h> +#ifdef HAVE_PRCTL +# include <sys/prctl.h> +#endif /* HAVE_PRCTL */ + +#include <debug.h> + +#if !defined(HAVE_GETPWNAM_R) || !defined(HAVE_GETGRNAM_R) +# include <threading/mutex.h> +# define EMULATE_R_FUNCS +#endif + +typedef struct private_capabilities_t private_capabilities_t; + +/** + * Private data of an capabilities_t object. + */ +struct private_capabilities_t { + + /** + * Public capabilities_t interface. + */ + capabilities_t public; + + /** + * user ID to switch during rights dropping + */ + uid_t uid; + + /** + * group ID to switch during rights dropping + */ + gid_t gid; + + /** + * capabilities to keep + */ +#ifdef CAPABILITIES_LIBCAP + cap_t caps; +#endif /* CAPABILITIES_LIBCAP */ +#ifdef CAPABILITIES_NATIVE + struct __user_cap_data_struct caps[2]; +#endif /* CAPABILITIES_NATIVE */ + +#ifdef EMULATE_R_FUNCS + /** + * mutex to emulate get(pw|gr)nam_r functions + */ + mutex_t *mutex; +#endif +}; + +METHOD(capabilities_t, keep, void, + private_capabilities_t *this, u_int cap) +{ +#ifdef CAPABILITIES_LIBCAP + cap_set_flag(this->caps, CAP_EFFECTIVE, 1, &cap, CAP_SET); + cap_set_flag(this->caps, CAP_INHERITABLE, 1, &cap, CAP_SET); + cap_set_flag(this->caps, CAP_PERMITTED, 1, &cap, CAP_SET); +#endif /* CAPABILITIES_LIBCAP */ +#ifdef CAPABILITIES_NATIVE + int i = 0; + + if (cap >= 32) + { + i++; + cap -= 32; + } + this->caps[i].effective |= 1 << cap; + this->caps[i].permitted |= 1 << cap; + this->caps[i].inheritable |= 1 << cap; +#endif /* CAPABILITIES_NATIVE */ +} + +METHOD(capabilities_t, get_uid, uid_t, + private_capabilities_t *this) +{ + return this->uid; +} + +METHOD(capabilities_t, get_gid, gid_t, + private_capabilities_t *this) +{ + return this->gid; +} + +METHOD(capabilities_t, set_uid, void, + private_capabilities_t *this, uid_t uid) +{ + this->uid = uid; +} + +METHOD(capabilities_t, set_gid, void, + private_capabilities_t *this, gid_t gid) +{ + this->gid = gid; +} + +METHOD(capabilities_t, resolve_uid, bool, + private_capabilities_t *this, char *username) +{ + struct passwd *pwp; + int err; + +#ifdef HAVE_GETPWNAM_R + struct passwd passwd; + char buf[1024]; + + err = getpwnam_r(username, &passwd, buf, sizeof(buf), &pwp); + if (pwp) + { + this->uid = pwp->pw_uid; + } +#else /* HAVE GETPWNAM_R */ + this->mutex->lock(this->mutex); + pwp = getpwnam(username); + if (pwp) + { + this->uid = pwp->pw_uid; + } + err = errno; + this->mutex->unlock(this->mutex); +#endif /* HAVE GETPWNAM_R */ + if (pwp) + { + return TRUE; + } + DBG1(DBG_LIB, "resolving user '%s' failed: %s", username, + err ? strerror(err) : "user not found"); + return FALSE; +} + +METHOD(capabilities_t, resolve_gid, bool, + private_capabilities_t *this, char *groupname) +{ + struct group *grp; + int err; + +#ifdef HAVE_GETGRNAM_R + struct group group; + char buf[1024]; + + err = getgrnam_r(groupname, &group, buf, sizeof(buf), &grp); + if (grp) + { + this->gid = grp->gr_gid; + } +#else /* HAVE_GETGRNAM_R */ + this->mutex->lock(this->mutex); + grp = getgrnam(groupname); + if (grp) + { + this->gid = grp->gr_gid; + } + err = errno; + this->mutex->unlock(this->mutex); +#endif /* HAVE_GETGRNAM_R */ + if (grp) + { + return TRUE; + } + DBG1(DBG_LIB, "resolving user '%s' failed: %s", groupname, + err ? strerror(err) : "group not found"); + return FALSE; +} + +METHOD(capabilities_t, drop, bool, + private_capabilities_t *this) +{ +#ifdef HAVE_PRCTL + prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0); +#endif + + if (this->gid && setgid(this->gid) != 0) + { + DBG1(DBG_LIB, "change to unprivileged group %u failed: %s", + this->gid, strerror(errno)); + return FALSE; + } + if (this->uid && setuid(this->uid) != 0) + { + DBG1(DBG_LIB, "change to unprivileged user %u failed: %s", + this->uid, strerror(errno)); + return FALSE; + } + +#ifdef CAPABILITIES_LIBCAP + if (cap_set_proc(this->caps) != 0) + { + DBG1(DBG_LIB, "dropping capabilities failed: %s", strerror(errno)); + return FALSE; + } +#endif /* CAPABILITIES_LIBCAP */ +#ifdef CAPABILITIES_NATIVE + struct __user_cap_header_struct header = { +#if defined(_LINUX_CAPABILITY_VERSION_3) + .version = _LINUX_CAPABILITY_VERSION_3, +#elif defined(_LINUX_CAPABILITY_VERSION_2) + .version = _LINUX_CAPABILITY_VERSION_2, +#elif defined(_LINUX_CAPABILITY_VERSION_1) + .version = _LINUX_CAPABILITY_VERSION_1, +#else + .version = _LINUX_CAPABILITY_VERSION, +#endif + }; + if (capset(&header, this->caps) != 0) + { + DBG1(DBG_LIB, "dropping capabilities failed: %s", strerror(errno)); + return FALSE; + } +#endif /* CAPABILITIES_NATIVE */ +#ifdef CAPABILITIES + DBG1(DBG_LIB, "dropped capabilities, running as uid %u, gid %u", + this->uid, this->gid); +#endif /* CAPABILITIES */ + return TRUE; +} + +METHOD(capabilities_t, destroy, void, + private_capabilities_t *this) +{ +#ifdef EMULATE_R_FUNCS + this->mutex->destroy(this->mutex); +#endif /* EMULATE_R_FUNCS */ +#ifdef CAPABILITIES_LIBCAP + cap_free(this->caps); +#endif /* CAPABILITIES_LIBCAP */ + free(this); +} + +/** + * See header + */ +capabilities_t *capabilities_create() +{ + private_capabilities_t *this; + + INIT(this, + .public = { + .keep = _keep, + .get_uid = _get_uid, + .get_gid = _get_gid, + .set_uid = _set_uid, + .set_gid = _set_gid, + .resolve_uid = _resolve_uid, + .resolve_gid = _resolve_gid, + .drop = _drop, + .destroy = _destroy, + }, + ); + +#ifdef CAPABILITIES +#ifdef CAPABILITIES_LIBCAP + this->caps = cap_init(); +#endif /* CAPABILITIES_LIBCAP */ + if (lib->leak_detective) + { + keep(this, CAP_SYS_NICE); + } +#endif /* CAPABILITIES */ + +#ifdef EMULATE_R_FUNCS + this->mutex = mutex_create(MUTEX_TYPE_DEFAULT); +#endif /* EMULATE_R_FUNCS */ + + return &this->public; +} diff --git a/src/libstrongswan/utils/capabilities.h b/src/libstrongswan/utils/capabilities.h new file mode 100644 index 000000000..cd23cbf10 --- /dev/null +++ b/src/libstrongswan/utils/capabilities.h @@ -0,0 +1,107 @@ +/* + * Copyright (C) 2012 Martin Willi + * Copyright (C) 2012 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup capabilities capabilities + * @{ @ingroup utils + */ + +#ifndef CAPABILITIES_H_ +#define CAPABILITIES_H_ + +#include <library.h> +#ifdef HAVE_SYS_CAPABILITY_H +# include <sys/capability.h> +#elif defined(CAPABILITIES_NATIVE) +# include <linux/capability.h> +#endif + +typedef struct capabilities_t capabilities_t; + +/** + * POSIX capability dropping abstraction layer. + */ +struct capabilities_t { + + /** + * Register a capability to keep while calling drop(). + * + * @param cap capability to keep + */ + void (*keep)(capabilities_t *this, u_int cap); + + /** + * Get the user ID set through set_uid/resolve_uid. + * + * @return currently set user ID + */ + uid_t (*get_uid)(capabilities_t *this); + + /** + * Get the group ID set through set_gid/resolve_gid. + * + * @return currently set group ID + */ + gid_t (*get_gid)(capabilities_t *this); + + /** + * Set the numerical user ID to use during rights dropping. + * + * @param uid user ID to use + */ + void (*set_uid)(capabilities_t *this, uid_t uid); + + /** + * Set the numerical group ID to use during rights dropping. + * + * @param gid group ID to use + */ + void (*set_gid)(capabilities_t *this, gid_t gid); + + /** + * Resolve a username and set the user ID accordingly. + * + * @param username username get the uid for + * @return TRUE if username resolved and uid set + */ + bool (*resolve_uid)(capabilities_t *this, char *username); + + /** + * Resolve a groupname and set the group ID accordingly. + * + * @param groupname groupname to get the gid for + * @return TRUE if groupname resolved and gid set + */ + bool (*resolve_gid)(capabilities_t *this, char *groupname); + + /** + * Drop all capabilities not previously passed to keep(), switch to UID/GID. + * + * @return TRUE if capability drop successful + */ + bool (*drop)(capabilities_t *this); + + /** + * Destroy a capabilities_t. + */ + void (*destroy)(capabilities_t *this); +}; + +/** + * Create a capabilities instance. + */ +capabilities_t *capabilities_create(); + +#endif /** CAPABILITIES_H_ @}*/ diff --git a/src/libstrongswan/utils/enumerator.c b/src/libstrongswan/utils/enumerator.c index fb461b448..53c94f9dd 100644 --- a/src/libstrongswan/utils/enumerator.c +++ b/src/libstrongswan/utils/enumerator.c @@ -121,7 +121,7 @@ static bool enumerate_dir_enum(dir_enum_t *this, char **relative, /** * See header */ -enumerator_t* enumerator_create_directory(char *path) +enumerator_t* enumerator_create_directory(const char *path) { int len; dir_enum_t *this = malloc_thing(dir_enum_t); @@ -168,9 +168,9 @@ typedef struct { /** current position */ char *pos; /** separater chars */ - char *sep; + const char *sep; /** trim chars */ - char *trim; + const char *trim; } token_enum_t; /** @@ -187,7 +187,8 @@ static void destroy_token_enum(token_enum_t *this) */ static bool enumerate_token_enum(token_enum_t *this, char **token) { - char *pos = NULL, *tmp, *sep, *trim; + const char *sep, *trim; + char *pos = NULL, *tmp; bool last = FALSE; /* trim leading characters/separators */ @@ -303,7 +304,8 @@ static bool enumerate_token_enum(token_enum_t *this, char **token) /** * See header */ -enumerator_t* enumerator_create_token(char *string, char *sep, char *trim) +enumerator_t* enumerator_create_token(const char *string, const char *sep, + const char *trim) { token_enum_t *enumerator = malloc_thing(token_enum_t); diff --git a/src/libstrongswan/utils/enumerator.h b/src/libstrongswan/utils/enumerator.h index 12b5712ae..8c3d70173 100644 --- a/src/libstrongswan/utils/enumerator.h +++ b/src/libstrongswan/utils/enumerator.h @@ -93,7 +93,7 @@ enumerator_t *enumerator_create_single(void *item, void (*cleanup)(void *item)); * @param path path of the directory * @return the directory enumerator, NULL on failure */ -enumerator_t* enumerator_create_directory(char *path); +enumerator_t* enumerator_create_directory(const char *path); /** * Create an enumerator over tokens of a string. @@ -106,7 +106,8 @@ enumerator_t* enumerator_create_directory(char *path); * @param trim characters to trim from tokens * @return enumerator over char* tokens */ -enumerator_t* enumerator_create_token(char *string, char *sep, char *trim); +enumerator_t* enumerator_create_token(const char *string, const char *sep, + const char *trim); /** * Creates an enumerator which enumerates over enumerated enumerators :-). diff --git a/src/libstrongswan/utils/hashtable.c b/src/libstrongswan/utils/hashtable.c index 33f645170..d181d8ec8 100644 --- a/src/libstrongswan/utils/hashtable.c +++ b/src/libstrongswan/utils/hashtable.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2008-2011 Tobias Brunner + * Copyright (C) 2008-2012 Tobias Brunner * Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -251,16 +251,21 @@ METHOD(hashtable_t, put, void*, return old_value; } -METHOD(hashtable_t, get, void*, - private_hashtable_t *this, void *key) +static void *get_internal(private_hashtable_t *this, void *key, + hashtable_equals_t equals) { void *value = NULL; pair_t *pair; + if (!this->count) + { /* no need to calculate the hash */ + return NULL; + } + pair = this->table[this->hash(key) & this->mask]; while (pair) { - if (this->equals(key, pair->key)) + if (equals(key, pair->key)) { value = pair->value; break; @@ -270,6 +275,18 @@ METHOD(hashtable_t, get, void*, return value; } +METHOD(hashtable_t, get, void*, + private_hashtable_t *this, void *key) +{ + return get_internal(this, key, this->equals); +} + +METHOD(hashtable_t, get_match, void*, + private_hashtable_t *this, void *key, hashtable_equals_t match) +{ + return get_internal(this, key, match); +} + METHOD(hashtable_t, remove_, void*, private_hashtable_t *this, void *key) { @@ -409,6 +426,7 @@ hashtable_t *hashtable_create(hashtable_hash_t hash, hashtable_equals_t equals, .public = { .put = _put, .get = _get, + .get_match = _get_match, .remove = _remove_, .remove_at = (void*)_remove_at, .get_count = _get_count, diff --git a/src/libstrongswan/utils/hashtable.h b/src/libstrongswan/utils/hashtable.h index 27aca9b68..0a21ca373 100644 --- a/src/libstrongswan/utils/hashtable.h +++ b/src/libstrongswan/utils/hashtable.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2008-2010 Tobias Brunner + * Copyright (C) 2008-2012 Tobias Brunner * Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -78,6 +78,22 @@ struct hashtable_t { void *(*get) (hashtable_t *this, void *key); /** + * Returns the value with a matching key, if the hash table contains such an + * entry, otherwise NULL is returned. + * + * Compared to get() the given match function is used to compare the keys + * for equality. The hash function does have to be deviced properly in + * order to make this work if the match function compares keys differently + * than the equals function provided to the constructor. This basically + * allows to enumerate all entries with the same hash value. + * + * @param key the key to match against + * @param match match function to be used when comparing keys + * @return the value, NULL if not found + */ + void *(*get_match) (hashtable_t *this, void *key, hashtable_equals_t match); + + /** * Removes the value with the given key from the hash table and returns the * removed value (or NULL if no such value existed). * diff --git a/src/libstrongswan/utils/host.c b/src/libstrongswan/utils/host.c index d3020a5d0..e17b6ad02 100644 --- a/src/libstrongswan/utils/host.c +++ b/src/libstrongswan/utils/host.c @@ -74,20 +74,16 @@ METHOD(host_t, get_sockaddr_len, socklen_t*, METHOD(host_t, is_anyaddr, bool, private_host_t *this) { + static const u_int8_t zeroes[IPV6_LEN]; + switch (this->address.sa_family) { case AF_INET: { - u_int8_t zeroes[IPV4_LEN]; - - memset(zeroes, 0, IPV4_LEN); return memeq(zeroes, &(this->address4.sin_addr.s_addr), IPV4_LEN); } case AF_INET6: { - u_int8_t zeroes[IPV6_LEN]; - - memset(zeroes, 0, IPV6_LEN); return memeq(zeroes, &(this->address6.sin6_addr.s6_addr), IPV6_LEN); } default: @@ -100,7 +96,7 @@ METHOD(host_t, is_anyaddr, bool, /** * Described in header. */ -int host_printf_hook(char *dst, size_t dstlen, printf_hook_spec_t *spec, +int host_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec, const void *const *args) { private_host_t *this = *((private_host_t**)(args[0])); @@ -110,7 +106,7 @@ int host_printf_hook(char *dst, size_t dstlen, printf_hook_spec_t *spec, { snprintf(buffer, sizeof(buffer), "(null)"); } - else if (is_anyaddr(this)) + else if (is_anyaddr(this) && !spec->plus) { snprintf(buffer, sizeof(buffer), "%%any%s", this->address.sa_family == AF_INET6 ? "6" : ""); @@ -152,9 +148,9 @@ int host_printf_hook(char *dst, size_t dstlen, printf_hook_spec_t *spec, } if (spec->minus) { - return print_in_hook(dst, dstlen, "%-*s", spec->width, buffer); + return print_in_hook(data, "%-*s", spec->width, buffer); } - return print_in_hook(dst, dstlen, "%*s", spec->width, buffer); + return print_in_hook(data, "%*s", spec->width, buffer); } METHOD(host_t, get_address, chunk_t, @@ -430,13 +426,15 @@ host_t *host_create_from_sockaddr(sockaddr_t *sockaddr) { case AF_INET: { - memcpy(&this->address4, sockaddr, sizeof(struct sockaddr_in)); + memcpy(&this->address4, (struct sockaddr_in*)sockaddr, + sizeof(struct sockaddr_in)); this->socklen = sizeof(struct sockaddr_in); return &this->public; } case AF_INET6: { - memcpy(&this->address6, sockaddr, sizeof(struct sockaddr_in6)); + memcpy(&this->address6, (struct sockaddr_in6*)sockaddr, + sizeof(struct sockaddr_in6)); this->socklen = sizeof(struct sockaddr_in6); return &this->public; } diff --git a/src/libstrongswan/utils/host.h b/src/libstrongswan/utils/host.h index 0a1be6e47..a8b010544 100644 --- a/src/libstrongswan/utils/host.h +++ b/src/libstrongswan/utils/host.h @@ -155,7 +155,7 @@ struct host_t { * * @param string string of an address, such as "152.96.193.130" * @param port port number - * @return host_t, NULL if string not an address. + * @return host_t, NULL if string not an address. */ host_t *host_create_from_string(char *string, u_int16_t port); @@ -165,7 +165,7 @@ host_t *host_create_from_string(char *string, u_int16_t port); * @param string hostname to resolve * @param family family to prefer, 0 for first match * @param port port number - * @return host_t, NULL lookup failed + * @return host_t, NULL lookup failed */ host_t *host_create_from_dns(char *string, int family, u_int16_t port); @@ -174,10 +174,10 @@ host_t *host_create_from_dns(char *string, int family, u_int16_t port); * * If family is AF_UNSPEC, it is guessed using address.len. * - * @param family Address family, such as AF_INET or AF_INET6 + * @param family Address family, such as AF_INET or AF_INET6 * @param address address as chunk_t in network order * @param port port number - * @return host_t, NULL if family not supported/chunk invalid + * @return host_t, NULL if family not supported/chunk invalid */ host_t *host_create_from_chunk(int family, chunk_t address, u_int16_t port); @@ -185,7 +185,7 @@ host_t *host_create_from_chunk(int family, chunk_t address, u_int16_t port); * Constructor to create a host_t object from a sockaddr struct * * @param sockaddr sockaddr struct which contains family, address and port - * @return host_t, NULL if family not supported + * @return host_t, NULL if family not supported */ host_t *host_create_from_sockaddr(sockaddr_t *sockaddr); @@ -202,7 +202,7 @@ host_t *host_create_from_subnet(char *string, int *bits); * Create a host without an address, a "any" host. * * @param family family of the any host - * @return host_t, NULL if family not supported + * @return host_t, NULL if family not supported */ host_t *host_create_any(int family); @@ -212,8 +212,9 @@ host_t *host_create_any(int family); * Arguments are: * host_t *host * Use #-modifier to include port number + * Use +-modifier to force numeric representation (instead of e.g. %any) */ -int host_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec, +int host_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec, const void *const *args); #endif /** HOST_H_ @}*/ diff --git a/src/libstrongswan/utils/identification.c b/src/libstrongswan/utils/identification.c index 9f0007f78..2669c2da6 100644 --- a/src/libstrongswan/utils/identification.c +++ b/src/libstrongswan/utils/identification.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2009 Tobias Brunner + * Copyright (C) 2009-2012 Tobias Brunner * Copyright (C) 2005-2009 Martin Willi * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil @@ -310,7 +310,7 @@ static void dntoa(chunk_t dn, char *buf, size_t len) len -= written; chunk_printable(data, &printable, '?'); - written = snprintf(buf, len, "%.*s", printable.len, printable.ptr); + written = snprintf(buf, len, "%.*s", (int)printable.len, printable.ptr); chunk_free(&printable); if (written < 0 || written >= len) { @@ -414,14 +414,22 @@ static status_t atodn(char *src, chunk_t *dn) } break; case SEARCH_NAME: - if (*src != ' ' && *src != '=') + if (*src == ' ' || *src == '=') + { + break; + } + else if (*src != ',' && *src != '/') { name.ptr = src; name.len = 1; whitespace = 0; state = READ_NAME; + break; } - break; + name = chunk_empty; + whitespace = 0; + state = READ_NAME; + /* fall-through */ case READ_NAME: if (*src != ',' && *src != '/' && *src != '\0') { @@ -748,8 +756,8 @@ METHOD(identification_t, matches_dn, id_match_t, /** * Described in header. */ -int identification_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec, - const void *const *args) +int identification_printf_hook(printf_hook_data_t *data, + printf_hook_spec_t *spec, const void *const *args) { private_identification_t *this = *((private_identification_t**)(args[0])); chunk_t proper; @@ -757,7 +765,7 @@ int identification_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec, if (this == NULL) { - return print_in_hook(dst, len, "%*s", spec->width, "(null)"); + return print_in_hook(data, "%*s", spec->width, "(null)"); } switch (this->type) @@ -783,7 +791,7 @@ int identification_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec, case ID_RFC822_ADDR: case ID_DER_ASN1_GN_URI: chunk_printable(this->encoded, &proper, '?'); - snprintf(buf, sizeof(buf), "%.*s", proper.len, proper.ptr); + snprintf(buf, sizeof(buf), "%.*s", (int)proper.len, proper.ptr); chunk_free(&proper); break; case ID_DER_ASN1_DN: @@ -796,8 +804,8 @@ int identification_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec, if (chunk_printable(this->encoded, NULL, '?') && this->encoded.len != HASH_SIZE_SHA1) { /* fully printable, use ascii version */ - snprintf(buf, sizeof(buf), "%.*s", - this->encoded.len, this->encoded.ptr); + snprintf(buf, sizeof(buf), "%.*s", (int)this->encoded.len, + this->encoded.ptr); } else { /* not printable, hex dump */ @@ -813,9 +821,9 @@ int identification_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec, } if (spec->minus) { - return print_in_hook(dst, len, "%-*s", spec->width, buf); + return print_in_hook(data, "%-*s", spec->width, buf); } - return print_in_hook(dst, len, "%*s", spec->width, buf); + return print_in_hook(data, "%*s", spec->width, buf); } METHOD(identification_t, clone_, identification_t*, @@ -1016,7 +1024,7 @@ identification_t * identification_create_from_data(chunk_t data) char buf[data.len + 1]; /* use string constructor */ - snprintf(buf, sizeof(buf), "%.*s", data.len, data.ptr); + snprintf(buf, sizeof(buf), "%.*s", (int)data.len, data.ptr); return identification_create_from_string(buf); } diff --git a/src/libstrongswan/utils/identification.h b/src/libstrongswan/utils/identification.h index 3978b23f3..024fcea4b 100644 --- a/src/libstrongswan/utils/identification.h +++ b/src/libstrongswan/utils/identification.h @@ -342,7 +342,7 @@ identification_t * identification_create_from_sockaddr(sockaddr_t *sockaddr); * Arguments are: * identification_t *identification */ -int identification_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec, - const void *const *args); +int identification_printf_hook(printf_hook_data_t *data, + printf_hook_spec_t *spec, const void *const *args); #endif /** IDENTIFICATION_H_ @}*/ diff --git a/src/libstrongswan/utils/leak_detective.c b/src/libstrongswan/utils/leak_detective.c index 0a8789335..cface0538 100644 --- a/src/libstrongswan/utils/leak_detective.c +++ b/src/libstrongswan/utils/leak_detective.c @@ -188,6 +188,7 @@ static void uninstall_hooks() char *whitelist[] = { /* backtraces, including own */ "backtrace_create", + "safe_strerror", /* pthread stuff */ "pthread_create", "pthread_setspecific", @@ -224,6 +225,7 @@ char *whitelist[] = { "getpwent_r", "setpwent", "endpwent", + "getspnam_r", /* ignore dlopen, as we do not dlclose to get proper leak reports */ "dlopen", "dlerror", @@ -396,6 +398,35 @@ METHOD(leak_detective_t, report, void, } } +METHOD(leak_detective_t, set_state, bool, + private_leak_detective_t *this, bool enable) +{ + static struct sched_param oldparams; + static int oldpolicy; + struct sched_param params; + pthread_t thread_id; + + if (enable == installed) + { + return installed; + } + thread_id = pthread_self(); + if (enable) + { + install_hooks(); + pthread_setschedparam(thread_id, oldpolicy, &oldparams); + } + else + { + pthread_getschedparam(thread_id, &oldpolicy, &oldparams); + params.__sched_priority = sched_get_priority_max(SCHED_FIFO); + pthread_setschedparam(thread_id, SCHED_FIFO, ¶ms); + uninstall_hooks(); + } + installed = enable; + return !installed; +} + METHOD(leak_detective_t, usage, void, private_leak_detective_t *this, FILE *out) { @@ -444,7 +475,7 @@ void *malloc_hook(size_t bytes, const void *caller) hdr->magic = MEMORY_HEADER_MAGIC; hdr->bytes = bytes; - hdr->backtrace = backtrace_create(3); + hdr->backtrace = backtrace_create(2); tail->magic = MEMORY_TAIL_MAGIC; install_hooks(); @@ -513,7 +544,7 @@ void free_hook(void *ptr, const void *caller) /* memory was not allocated by our hooks */ fprintf(stderr, "freeing invalid memory (%p)", ptr); } - backtrace = backtrace_create(3); + backtrace = backtrace_create(2); backtrace->log(backtrace, stderr, TRUE); backtrace->destroy(backtrace); } @@ -569,15 +600,17 @@ void *realloc_hook(void *old, size_t bytes, const void *caller) if (hdr->magic != MEMORY_HEADER_MAGIC || tail->magic != MEMORY_TAIL_MAGIC) { - fprintf(stderr, "reallocating invalid memory (%p): " - "header magic 0x%x, tail magic 0x%x:\n", - old, hdr->magic, tail->magic); - backtrace = backtrace_create(3); + fprintf(stderr, "reallocating invalid memory (%p):\n" + "header magic 0x%x:\n", old, hdr->magic); + backtrace = backtrace_create(2); backtrace->log(backtrace, stderr, TRUE); backtrace->destroy(backtrace); } - /* clear tail magic, allocate, set tail magic */ - memset(&tail->magic, MEMORY_ALLOC_PATTERN, sizeof(tail->magic)); + else + { + /* clear tail magic, allocate, set tail magic */ + memset(&tail->magic, MEMORY_ALLOC_PATTERN, sizeof(tail->magic)); + } hdr = realloc(hdr, sizeof(memory_header_t) + bytes + sizeof(memory_tail_t)); tail = ((void*)hdr) + bytes + sizeof(memory_header_t); tail->magic = MEMORY_TAIL_MAGIC; @@ -585,7 +618,7 @@ void *realloc_hook(void *old, size_t bytes, const void *caller) /* update statistics */ hdr->bytes = bytes; hdr->backtrace->destroy(hdr->backtrace); - hdr->backtrace = backtrace_create(3); + hdr->backtrace = backtrace_create(2); /* update header of linked list neighbours */ if (hdr->next) @@ -619,6 +652,7 @@ leak_detective_t *leak_detective_create() .public = { .report = _report, .usage = _usage, + .set_state = _set_state, .destroy = _destroy, }, ); diff --git a/src/libstrongswan/utils/leak_detective.h b/src/libstrongswan/utils/leak_detective.h index 8c80d2532..55d7e44d9 100644 --- a/src/libstrongswan/utils/leak_detective.h +++ b/src/libstrongswan/utils/leak_detective.h @@ -50,6 +50,14 @@ struct leak_detective_t { void (*usage)(leak_detective_t *this, FILE *out); /** + * Enable/disable leak detective hooks. + * + * @param TRUE to enable, FALSE to disable + * @return state active before calling set_state + */ + bool (*set_state)(leak_detective_t *this, bool enabled); + + /** * Destroy a leak_detective instance. */ void (*destroy)(leak_detective_t *this); diff --git a/src/libstrongswan/utils/linked_list.c b/src/libstrongswan/utils/linked_list.c index 59d416f2f..1ff80999b 100644 --- a/src/libstrongswan/utils/linked_list.c +++ b/src/libstrongswan/utils/linked_list.c @@ -16,6 +16,7 @@ */ #include <stdlib.h> +#include <stdarg.h> #include "linked_list.h" @@ -572,3 +573,43 @@ linked_list_t *linked_list_create() return &this->public; } + +/* + * See header. + */ +linked_list_t *linked_list_create_from_enumerator(enumerator_t *enumerator) +{ + linked_list_t *list; + void *item; + + list = linked_list_create(); + + while (enumerator->enumerate(enumerator, &item)) + { + list->insert_last(list, item); + } + enumerator->destroy(enumerator); + + return list; +} + +/* + * See header. + */ +linked_list_t *linked_list_create_with_items(void *item, ...) +{ + linked_list_t *list; + va_list args; + + list = linked_list_create(); + + va_start(args, item); + while (item) + { + list->insert_last(list, item); + item = va_arg(args, void*); + } + va_end(args); + + return list; +} diff --git a/src/libstrongswan/utils/linked_list.h b/src/libstrongswan/utils/linked_list.h index 293ca8661..1b5518480 100644 --- a/src/libstrongswan/utils/linked_list.h +++ b/src/libstrongswan/utils/linked_list.h @@ -299,4 +299,21 @@ struct linked_list_t { */ linked_list_t *linked_list_create(void); +/** + * Creates a linked list from an enumerator. + * + * @param enumerator enumerator over void*, gets destroyed + * @return linked_list_t object, containing enumerated values + */ +linked_list_t *linked_list_create_from_enumerator(enumerator_t *enumerator); + +/** + * Creates a linked list from a NULL terminated vararg list of items. + * + * @param first first item + * @param ... subsequent items, terminated by NULL + * @return linked_list_t object, containing passed items + */ +linked_list_t *linked_list_create_with_items(void *first, ...); + #endif /** LINKED_LIST_H_ @}*/ diff --git a/src/libstrongswan/utils/packet.c b/src/libstrongswan/utils/packet.c new file mode 100644 index 000000000..a2c329d60 --- /dev/null +++ b/src/libstrongswan/utils/packet.c @@ -0,0 +1,163 @@ +/* + * Copyright (C) 2012 Tobias Brunner + * Copyright (C) 2005-2006 Martin Willi + * Copyright (C) 2005 Jan Hutter + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "packet.h" + +typedef struct private_packet_t private_packet_t; + +/** + * Private data of an packet_t object. + */ +struct private_packet_t { + + /** + * Public part of a packet_t object. + */ + packet_t public; + + /** + * source address + */ + host_t *source; + + /** + * destination address + */ + host_t *destination; + + /** + * message data + */ + chunk_t data; + + /** + * actual chunk returned from get_data, adjusted when skip_bytes is called + */ + chunk_t adjusted_data; +}; + +METHOD(packet_t, set_source, void, + private_packet_t *this, host_t *source) +{ + DESTROY_IF(this->source); + this->source = source; +} + +METHOD(packet_t, set_destination, void, + private_packet_t *this, host_t *destination) +{ + DESTROY_IF(this->destination); + this->destination = destination; +} + +METHOD(packet_t, get_source, host_t*, + private_packet_t *this) +{ + return this->source; +} + +METHOD(packet_t, get_destination, host_t*, + private_packet_t *this) +{ + return this->destination; +} + +METHOD(packet_t, get_data, chunk_t, + private_packet_t *this) +{ + return this->adjusted_data; +} + +METHOD(packet_t, set_data, void, + private_packet_t *this, chunk_t data) +{ + free(this->data.ptr); + this->adjusted_data = this->data = data; +} + +METHOD(packet_t, skip_bytes, void, + private_packet_t *this, size_t bytes) +{ + this->adjusted_data = chunk_skip(this->adjusted_data, bytes); +} + +METHOD(packet_t, destroy, void, + private_packet_t *this) +{ + DESTROY_IF(this->source); + DESTROY_IF(this->destination); + free(this->data.ptr); + free(this); +} + +METHOD(packet_t, clone_, packet_t*, + private_packet_t *this) +{ + packet_t *other; + + other = packet_create(); + if (this->destination) + { + other->set_destination(other, + this->destination->clone(this->destination)); + } + if (this->source) + { + other->set_source(other, this->source->clone(this->source)); + } + if (this->data.ptr) + { + other->set_data(other, chunk_clone(this->adjusted_data)); + } + return other; +} + +/** + * Described in header. + */ +packet_t *packet_create_from_data(host_t *src, host_t *dst, chunk_t data) +{ + private_packet_t *this; + + INIT(this, + .public = { + .set_data = _set_data, + .get_data = _get_data, + .set_source = _set_source, + .get_source = _get_source, + .set_destination = _set_destination, + .get_destination = _get_destination, + .skip_bytes = _skip_bytes, + .clone = _clone_, + .destroy = _destroy, + }, + .source = src, + .destination = dst, + .adjusted_data = data, + .data = data, + ); + + return &this->public; +} + +/* + * Described in header. + */ +packet_t *packet_create() +{ + return packet_create_from_data(NULL, NULL, chunk_empty); +} diff --git a/src/libstrongswan/utils/packet.h b/src/libstrongswan/utils/packet.h new file mode 100644 index 000000000..5c4440115 --- /dev/null +++ b/src/libstrongswan/utils/packet.h @@ -0,0 +1,121 @@ +/* + * Copyright (C) 2012 Tobias Brunner + * Copyright (C) 2005-2006 Martin Willi + * Copyright (C) 2005 Jan Hutter + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup packet packet + * @{ @ingroup utils + */ + +#ifndef PACKET_H_ +#define PACKET_H_ + +typedef struct packet_t packet_t; + +#include <library.h> +#include <utils/host.h> + +/** + * Abstraction of an IP/UDP-Packet, contains data, sender and receiver. + */ +struct packet_t { + + /** + * Set the source address. + * + * @param source address to set as source (gets owned) + */ + void (*set_source)(packet_t *packet, host_t *source); + + /** + * Set the destination address. + * + * @param source address to set as destination (gets owned) + */ + void (*set_destination)(packet_t *packet, host_t *destination); + + /** + * Get the source address. + * + * @return source address (internal data) + */ + host_t *(*get_source)(packet_t *packet); + + /** + * Get the destination address. + * + * @return destination address (internal data) + */ + host_t *(*get_destination)(packet_t *packet); + + /** + * Get the data from the packet. + * + * @return chunk containing the data (internal data) + */ + chunk_t (*get_data)(packet_t *packet); + + /** + * Set the data in the packet. + * + * @param data chunk with data to set (gets owned) + */ + void (*set_data)(packet_t *packet, chunk_t data); + + /** + * Increase the offset where the actual packet data starts. + * + * The total offset applies to future calls of get_data() and clone(). + * + * @note The offset is reset to 0 when set_data() is called. + * + * @param bytes the number of additional bytes to skip + */ + void (*skip_bytes)(packet_t *packet, size_t bytes); + + /** + * Clones a packet_t object. + * + * @note Data is cloned without skipped bytes. + * + * @param clone clone of the packet + */ + packet_t* (*clone)(packet_t *packet); + + /** + * Destroy the packet, freeing contained data. + */ + void (*destroy)(packet_t *packet); +}; + +/** + * Create an empty packet + * + * @return packet_t object + */ +packet_t *packet_create(); + +/** + * Create a packet from the supplied data + * + * @param src source address (gets owned) + * @param dst destination address (gets owned) + * @param data packet data (gets owned) + * @return packet_t object + */ +packet_t *packet_create_from_data(host_t *src, host_t *dst, chunk_t data); + +#endif /** PACKET_H_ @}*/ diff --git a/src/libstrongswan/utils/tun_device.c b/src/libstrongswan/utils/tun_device.c new file mode 100644 index 000000000..36f3359c0 --- /dev/null +++ b/src/libstrongswan/utils/tun_device.c @@ -0,0 +1,461 @@ +/* + * Copyright (C) 2012 Tobias Brunner + * Copyright (C) 2012 Giuliano Grassi + * Copyright (C) 2012 Ralf Sager + * Hochschule fuer Technik Rapperswil + * Copyright (C) 2012 Martin Willi + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include <errno.h> +#include <fcntl.h> +#include <netinet/in.h> +#include <string.h> +#include <sys/ioctl.h> +#include <sys/types.h> +#include <sys/socket.h> +#include <sys/stat.h> +#include <unistd.h> +#include <net/if.h> + +#ifdef __APPLE__ +#include <net/if_utun.h> +#include <netinet/in_var.h> +#include <sys/kern_control.h> +#elif defined(__linux__) +#include <linux/if_tun.h> +#else +#include <net/if_tun.h> +#endif + +#include "tun_device.h" + +#include <library.h> +#include <debug.h> +#include <threading/thread.h> + +#define TUN_DEFAULT_MTU 1500 + +typedef struct private_tun_device_t private_tun_device_t; + +struct private_tun_device_t { + + /** + * Public interface + */ + tun_device_t public; + + /** + * The TUN device's file descriptor + */ + int tunfd; + + /** + * Name of the TUN device + */ + char if_name[IFNAMSIZ]; + + /** + * Socket used for ioctl() to set interface addr, ... + */ + int sock; + + /** + * The current MTU + */ + int mtu; +}; + +/** + * Set the sockaddr_t from the given netmask + */ +static void set_netmask(struct ifreq *ifr, int family, u_int8_t netmask) +{ + int len, bytes, bits; + char *target; + + switch (family) + { + case AF_INET: + { + struct sockaddr_in *addr = (struct sockaddr_in*)&ifr->ifr_addr; + addr->sin_family = AF_INET; + target = (char*)&addr->sin_addr; + len = 4; + break; + } + case AF_INET6: + { + struct sockaddr_in6 *addr = (struct sockaddr_in6*)&ifr->ifr_addr; + addr->sin6_family = AF_INET6; + target = (char*)&addr->sin6_addr; + len = 16; + break; + } + default: + return; + } + + bytes = (netmask + 7) / 8; + bits = (bytes * 8) - netmask; + + memset(target, 0xff, bytes); + memset(target + bytes, 0x00, len - bytes); + target[bytes - 1] = bits ? (u_int8_t)(0xff << bits) : 0xff; +} + +METHOD(tun_device_t, set_address, bool, + private_tun_device_t *this, host_t *addr, u_int8_t netmask) +{ + struct ifreq ifr; + int family; + + family = addr->get_family(addr); + if ((netmask > 32 && family == AF_INET) || netmask > 128) + { + DBG1(DBG_LIB, "failed to set address on %s: invalid netmask", + this->if_name); + return FALSE; + } + + memset(&ifr, 0, sizeof(ifr)); + strncpy(ifr.ifr_name, this->if_name, IFNAMSIZ); + memcpy(&ifr.ifr_addr, addr->get_sockaddr(addr), sizeof(sockaddr_t)); + + if (ioctl(this->sock, SIOCSIFADDR, &ifr) < 0) + { + DBG1(DBG_LIB, "failed to set address on %s: %s", + this->if_name, strerror(errno)); + return FALSE; + } +#ifdef __APPLE__ + if (ioctl(this->sock, SIOCSIFDSTADDR, &ifr) < 0) + { + DBG1(DBG_LIB, "failed to set dest address on %s: %s", + this->if_name, strerror(errno)); + return FALSE; + } +#endif /* __APPLE__ */ + + set_netmask(&ifr, family, netmask); + + if (ioctl(this->sock, SIOCSIFNETMASK, &ifr) < 0) + { + DBG1(DBG_LIB, "failed to set netmask on %s: %s", + this->if_name, strerror(errno)); + return FALSE; + } + return TRUE; +} + +METHOD(tun_device_t, up, bool, + private_tun_device_t *this) +{ + struct ifreq ifr; + + memset(&ifr, 0, sizeof(ifr)); + strncpy(ifr.ifr_name, this->if_name, IFNAMSIZ); + + if (ioctl(this->sock, SIOCGIFFLAGS, &ifr) < 0) + { + DBG1(DBG_LIB, "failed to get interface flags for %s: %s", this->if_name, + strerror(errno)); + return FALSE; + } + + ifr.ifr_flags |= IFF_RUNNING | IFF_UP; + + if (ioctl(this->sock, SIOCSIFFLAGS, &ifr) < 0) + { + DBG1(DBG_LIB, "failed to set interface flags on %s: %s", this->if_name, + strerror(errno)); + return FALSE; + } + return TRUE; +} + +METHOD(tun_device_t, set_mtu, bool, + private_tun_device_t *this, int mtu) +{ + struct ifreq ifr; + + memset(&ifr, 0, sizeof(ifr)); + strncpy(ifr.ifr_name, this->if_name, IFNAMSIZ); + ifr.ifr_mtu = mtu; + + if (ioctl(this->sock, SIOCSIFMTU, &ifr) < 0) + { + DBG1(DBG_LIB, "failed to set MTU on %s: %s", this->if_name, + strerror(errno)); + return FALSE; + } + this->mtu = mtu; + return TRUE; +} + +METHOD(tun_device_t, get_mtu, int, + private_tun_device_t *this) +{ + struct ifreq ifr; + + if (this->mtu > 0) + { + return this->mtu; + } + + memset(&ifr, 0, sizeof(ifr)); + strncpy(ifr.ifr_name, this->if_name, IFNAMSIZ); + this->mtu = TUN_DEFAULT_MTU; + + if (ioctl(this->sock, SIOCGIFMTU, &ifr) == 0) + { + this->mtu = ifr.ifr_mtu; + } + return this->mtu; +} + +METHOD(tun_device_t, get_name, char*, + private_tun_device_t *this) +{ + return this->if_name; +} + +METHOD(tun_device_t, write_packet, bool, + private_tun_device_t *this, chunk_t packet) +{ + ssize_t s; + + s = write(this->tunfd, packet.ptr, packet.len); + if (s < 0) + { + DBG1(DBG_LIB, "failed to write packet to TUN device %s: %s", + this->if_name, strerror(errno)); + return FALSE; + } + else if (s != packet.len) + { + return FALSE; + } + return TRUE; +} + +METHOD(tun_device_t, read_packet, bool, + private_tun_device_t *this, chunk_t *packet) +{ + ssize_t len; + fd_set set; + bool old; + + FD_ZERO(&set); + FD_SET(this->tunfd, &set); + + old = thread_cancelability(TRUE); + len = select(this->tunfd + 1, &set, NULL, NULL, NULL); + thread_cancelability(old); + + if (len < 0) + { + DBG1(DBG_LIB, "select on TUN device %s failed: %s", this->if_name, + strerror(errno)); + return FALSE; + } + /* FIXME: this is quite expensive for lots of small packets, copy from + * local buffer instead? */ + *packet = chunk_alloc(get_mtu(this)); + len = read(this->tunfd, packet->ptr, packet->len); + if (len < 0) + { + DBG1(DBG_LIB, "reading from TUN device %s failed: %s", this->if_name, + strerror(errno)); + chunk_free(packet); + return FALSE; + } + packet->len = len; + return TRUE; +} + +METHOD(tun_device_t, destroy, void, + private_tun_device_t *this) +{ + if (this->tunfd > 0) + { + close(this->tunfd); +#ifdef __FreeBSD__ + /* tun(4) says the following: "These network interfaces persist until + * the if_tun.ko module is unloaded, or until removed with the + * ifconfig(8) command." So simply closing the FD is not enough. */ + struct ifreq ifr; + + memset(&ifr, 0, sizeof(ifr)); + strncpy(ifr.ifr_name, this->if_name, IFNAMSIZ); + if (ioctl(this->sock, SIOCIFDESTROY, &ifr) < 0) + { + DBG1(DBG_LIB, "failed to destroy %s: %s", this->if_name, + strerror(errno)); + } +#endif /* __FreeBSD__ */ + } + if (this->sock > 0) + { + close(this->sock); + } + free(this); +} + +/** + * Initialize the tun device + */ +static bool init_tun(private_tun_device_t *this, const char *name_tmpl) +{ +#ifdef __APPLE__ + + struct ctl_info info; + struct sockaddr_ctl addr; + socklen_t size = IFNAMSIZ; + + memset(&info, 0, sizeof(info)); + memset(&addr, 0, sizeof(addr)); + + this->tunfd = socket(PF_SYSTEM, SOCK_DGRAM, SYSPROTO_CONTROL); + if (this->tunfd < 0) + { + DBG1(DBG_LIB, "failed to open tundevice PF_SYSTEM socket: %s", + strerror(errno)); + return FALSE; + } + + /* get a control identifier for the utun kernel extension */ + strncpy(info.ctl_name, UTUN_CONTROL_NAME, strlen(UTUN_CONTROL_NAME)); + if (ioctl(this->tunfd, CTLIOCGINFO, &info) < 0) + { + DBG1(DBG_LIB, "failed to ioctl tundevice: %s", strerror(errno)); + close(this->tunfd); + return FALSE; + } + + addr.sc_id = info.ctl_id; + addr.sc_len = sizeof(addr); + addr.sc_family = AF_SYSTEM; + addr.ss_sysaddr = AF_SYS_CONTROL; + /* allocate identifier dynamically */ + addr.sc_unit = 0; + + if (connect(this->tunfd, (struct sockaddr*)&addr, sizeof(addr)) < 0) + { + DBG1(DBG_LIB, "failed to connect tundevice: %s", strerror(errno)); + close(this->tunfd); + return FALSE; + } + if (getsockopt(this->tunfd, SYSPROTO_CONTROL, UTUN_OPT_IFNAME, + this->if_name, &size) < 0) + { + DBG1(DBG_LIB, "getting tundevice name failed: %s", strerror(errno)); + close(this->tunfd); + return FALSE; + } + return TRUE; + +#elif defined(IFF_TUN) + + struct ifreq ifr; + + strncpy(this->if_name, name_tmpl ?: "tun%d", IFNAMSIZ); + this->if_name[IFNAMSIZ-1] = '\0'; + + this->tunfd = open("/dev/net/tun", O_RDWR); + if (this->tunfd < 0) + { + DBG1(DBG_LIB, "failed to open /dev/net/tun: %s", strerror(errno)); + return FALSE; + } + + memset(&ifr, 0, sizeof(ifr)); + + /* TUN device, no packet info */ + ifr.ifr_flags = IFF_TUN | IFF_NO_PI; + + strncpy(ifr.ifr_name, this->if_name, IFNAMSIZ); + if (ioctl(this->tunfd, TUNSETIFF, (void*)&ifr) < 0) + { + DBG1(DBG_LIB, "failed to configure TUN device: %s", strerror(errno)); + close(this->tunfd); + return FALSE; + } + strncpy(this->if_name, ifr.ifr_name, IFNAMSIZ); + return TRUE; + +#else /* !IFF_TUN */ + + /* this works on FreeBSD and might also work on Linux with older TUN + * driver versions (no IFF_TUN) */ + char devname[IFNAMSIZ]; + int i; + + if (name_tmpl) + { + DBG1(DBG_LIB, "arbitrary naming of TUN devices is not supported"); + } + + for (i = 0; i < 256; i++) + { + snprintf(devname, IFNAMSIZ, "/dev/tun%d", i); + this->tunfd = open(devname, O_RDWR); + if (this->tunfd > 0) + { /* for ioctl(2) calls only the interface name is used */ + snprintf(this->if_name, IFNAMSIZ, "tun%d", i); + break; + } + DBG1(DBG_LIB, "failed to open %s: %s", this->if_name, strerror(errno)); + } + return this->tunfd > 0; + +#endif /* !__APPLE__ */ +} + +/* + * Described in header + */ +tun_device_t *tun_device_create(const char *name_tmpl) +{ + private_tun_device_t *this; + + INIT(this, + .public = { + .read_packet = _read_packet, + .write_packet = _write_packet, + .get_mtu = _get_mtu, + .set_mtu = _set_mtu, + .get_name = _get_name, + .set_address = _set_address, + .up = _up, + .destroy = _destroy, + }, + .tunfd = -1, + .sock = -1, + ); + + if (!init_tun(this, name_tmpl)) + { + free(this); + return NULL; + } + DBG1(DBG_LIB, "created TUN device: %s", this->if_name); + + this->sock = socket(AF_INET, SOCK_DGRAM, 0); + if (this->sock < 0) + { + DBG1(DBG_LIB, "failed to open socket to configure TUN device"); + destroy(this); + return NULL; + } + return &this->public; +} diff --git a/src/libstrongswan/utils/tun_device.h b/src/libstrongswan/utils/tun_device.h new file mode 100644 index 000000000..71af0386b --- /dev/null +++ b/src/libstrongswan/utils/tun_device.h @@ -0,0 +1,112 @@ +/* + * Copyright (C) 2012 Tobias Brunner + * Copyright (C) 2012 Giuliano Grassi + * Copyright (C) 2012 Ralf Sager + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup tun_device tun_device + * @{ @ingroup utils + */ + +#ifndef TUN_DEVICE_H_ +#define TUN_DEVICE_H_ + +#include <library.h> +#include <utils/host.h> + +typedef struct tun_device_t tun_device_t; + +/** + * Class to create TUN devices + * + * Creating such a device requires the CAP_NET_ADMIN capability. + * + * @note The implementation is currently very Linux specific + */ +struct tun_device_t { + + /** + * Read a packet from the TUN device + * + * @note This call blocks until a packet is available. It is a thread + * cancellation point. + * + * @param packet the packet read from the device + * @return TRUE if successful + */ + bool (*read_packet)(tun_device_t *this, chunk_t *packet); + + /** + * Write a packet to the TUN device + * + * @param packet the packet to write to the TUN device + * @return TRUE if successful + */ + bool (*write_packet)(tun_device_t *this, chunk_t packet); + + /** + * Set the IP address of the device + * + * @param addr the desired interface address + * @param netmask the netmask to use + * @return TRUE if operation successful + */ + bool (*set_address)(tun_device_t *this, host_t *addr, u_int8_t netmask); + + /** + * Bring the TUN device up + * + * @return TRUE if operation successful + */ + bool (*up)(tun_device_t *this); + + /** + * Set the MTU for this TUN device + * + * @param mtu new MTU + * @return TRUE if operation successful + */ + bool (*set_mtu)(tun_device_t *this, int mtu); + + /** + * Get the current MTU for this TUN device + * + * @return current MTU + */ + int (*get_mtu)(tun_device_t *this); + + /** + * Get the interface name of this device + * + * @return interface name + */ + char *(*get_name)(tun_device_t *this); + + /** + * Destroy a tun_device_t + */ + void (*destroy)(tun_device_t *this); + +}; + +/** + * Create a TUN device using the given name template. + * + * @param name_tmpl name template, defaults to "tun%d" if not given + * @return TUN device + */ +tun_device_t *tun_device_create(const char *name_tmpl); + +#endif /** TUN_DEVICE_H_ @}*/ |